Instead Lawsky banged on Big Four auditor Deloitte’s Financial Advisory Services business unit. DFS fined the firm $10 million this week and banned Deloitte from accepting new consulting engagements at financial institutions regulated by Lawsky. Deloitte’s violations took place while standing in the shoes of the regulator as a “monitor” at Standard Chartered. The original Deloitte engagement was the result of a 2004 joint written agreement between Standard Chartered and the New York State Banking Department – a DFS predecessor agency - and the Federal Reserve Bank of New York which identified several compliance and risk management deficiencies in the anti-money laundering and Bank Secrecy Act controls at Standard Chartered's New York branch.

The order addresses Deloitte's "misconduct, violations of law, and lack of autonomy during its consulting work" at Standard Chartered Bank on those anti-money laundering (AML) issues.

DFS's investigation into the conduct of firm professionals during its consulting work at Standard Chartered found that Deloitte:

Did not demonstrate the necessary autonomy required of consultants performing regulatory work. Based primarily on Standard Chartered's objection, Deloitte removed a recommendation aimed at rooting out money laundering from its written final report on the matter to the Department. The recommendation discussed how wire messages or "cover payments" on transactions could be manipulated by banks to evade money laundering controls on U.S. dollar clearing activities.

Violated New York Banking Law § 36.10 by disclosing confidential information of other Deloitte clients to Standard Chartered. A senior Deloitte employee sent emails to Standard Chartered employees containing two reports on anti-money laundering issues at other Deloitte client banks. Both reports contained confidential supervisory information, which Deloitte FAS was legally barred by New York Banking Law § 36.10 from disclosing to third parties.

More significant is the precedent Lawsky has set. It could be "very disruptive" for banks if other states, following New York's lead, ban consultants from operating and issue their own sets of regulations, says Francine McKenna, an accounting watchdog and journalist who has contributed to American Banker's BankThink columns.

"Banks will have to have a contingency plan if suddenly a very significant consultant stops working," she says.

Even though the New York sanctions on Deloitte would only apply to state-chartered banks, they could have a spillover effect in terms of industry-wide reputational risk. Some consultants expect to see big national banks — especially those already under regulatory scrutiny — also rethinking their use of the firm.

Deloitte’s law-breaking at Standard Chartered probably made officials at the Federal Reserve Bank of New York particularly uncomfortable. Deloitte’s audit arm is the financial auditor for the entire Federal Reserve system, and Deloitte also audits some of the firms the Fed has been highly dependent on during and after the crisis such as BlackRock. Deloitte’s actions at Standard Chartered belied its intended role as the eyes and ears of the Fed and DFS, making sure Standard Chartered corrected its money laundering ways. Instead, Deloitte helped Standard Chartered assuage regulator concerns by breaking the law and sharing confidential regulatory information with the bank from its other “monitor” engagements.

Deloitte has been working on a similar engagement to correct AML violations at the nationally chartered US operations of HSBC Holdings PLC in New Castle, Delaware, where the firm is again acting at the behest of the feds. The HSBC engagement is a "look-back" at thousands of old transactions ordered by the OCC in 2010 when the regulator cited the bank for multiple anti-money laundering failures. According to Reuters last year, it was not going well.

The New Castle look-back, overseen by consultants Deloitte LLP, was manned by more than 100 former law-enforcement officials, bank examiners and others. Many of them were working under contract with outside anti-money laundering consulting firms…In the HSBC look-back, one contractor said, many suspicious cases were "buried." In one case, the contractor wanted to find out why 13 parties had wired a total of $1.3 million into an HSBC account in Hong Kong on the same day. He said that when he asked a Deloitte supervisor to request that the Hong Kong office provide information about the customer, he was told that decision rested with the HSBC manager in charge of the account. The information never was provided, and the same contractor said he was later fired for not clearing enough alerts.

The look-back team held brief weekly meetings at which Deloitte overseers ticked off how many cases had been cleared and complained about delays. Several contractors said that investigators deemed slow on the job were fired.

Similar allegations - that Deloitte seems more eager to please a bank involved in a regulatory action rather than stand tough as the proxy for the regulator - recently surfaced at Lloyds Bank in the UK. That engagement addressed customer claims processing for payment protection insurance (PPI), designed to cover loan repayments for debtors who became ill, had an accident or lost their jobs.

PPI was mis-sold by UK banks on a massive scale to customers who did not want or need it. According to the London Evening Standard, Lloyds - the biggest PPI seller in the UK - was fined £4.3 million by the Financial Services Authority for not settling PPI claims promptly.

Lloyds Banking Group has admitted “issues” in the handling of PPI complaints and fired Deloitte which operated the unit.

It comes as an undercover reporter on The Times claimed that when he went through the training procedure to join the PPI complaint centre at Royal Mint Court he saw staff taught how to “play the system” against customers.

This included turning a blind eye to the risk that fraud may have been committed and knowing that most customers gave up if their complaint was rejected first time around.

Most of the headlines for news stories about Deloitte FAS’s agreement with DFS regarding Standard Chartered referred simply to “Deloitte”. Deloitte spokesman Jonathan Gandal tried to make the distinction in the firm's official statement:

Deloitte FAS looks forward to working constructively with DFS to establish best practices and procedures that are ultimately intended to become the industry standard for all independent consulting engagements under DFS’ supervision.

It is important to note that, as the agreement also states: “This is not intended to affect engagements performed by any Deloitte entity other than Deloitte FAS. Neither the fact of this agreement nor any of its terms is intended to be, or should be construed as, a reflection of any of the other practices of Deloitte-affiliated entities.”

So it’s not too surprising that the public, and even regulators, legislators, and some journalists are often confused about the difference between Deloitte LLP the audit firm, Deloitte Consulting the consulting firm (not to be confused with Deloitte FAS LLP a different consulting firm), and Deloitte the tax advisory firm when one of them gets into trouble. It’s also hard to separate the Deloitte global member firms such as Deloitte’s China firm when it’s sued or sanctioned for Chinese reverse merger fraud and refuses to cooperate with the US regulators from Deloitte Touche Tohmatsu the global “coordinating” firm and then from the Deloitte US firms. The Big Four audit firms look more and more like any other multinational corporation hiding behind myriad separate legal entities rather than global professional services partnerships providing “seamless” service delivery.

Reputation risk doesn’t seem to get in the way anymore of audit firms helping some criminal banks do lots of illegal things. That’s what I said when DFS first made the allegations against Deloitte in August of last year.

That’s what I warned about when Deloitte was awarded the “independent” consultant role at JP Morgan Chase, performing the “look back” review required by the OCC/Fed consent decrees signed with a dozen banks in April of 2011 as a result of foreclosure abuses. Deloitte has an even bigger incentive to cheat and look out for JPM Chase and itself on that engagement, rather than borrowers who were cheated by the bank. Most of the foreclosures Deloitte is “independently” reviewing are based on mortgages acquired by JPM from Bear Stearns and Washington Mutual, two of Deloitte’s audit clients before those institutions failed and were taken over by JPM.

I wondered out loud to NY DFS spokesman Matt Anderson, "How does DFS plan to make sure Deloitte, and the banks, don't circumvent the ban by shifting Deloitte FAS staff to other Deloitte entities and running new engagements through them?"

Anderson reassured me. "DFS has the ability to monitor compliance since it controls access to confidential supervisory information under its 36.10 authority. They can't access the information without our approval. The road runs through our agency."

Benjamin Lawsky and the NY DFS team are on it. Let's hope federal and state regulators in the US and international regulators follow that lead with similar tough actions against all the various forms, and firms, used by the Deloitte and its fellow Big Four enablers – PwC, KPMG and Ernst & Young.

Deloitte provided its full official statement, a portion of which was reproduced above, in response to my request for comment.